Tighten up security of automation project (CSPR-related) (#2009)

* enforce compute/iam policies on the automation project

* tests

fast/stages/0-bootstrap/automation.tf

@@ -108,32 +108,47 @@ module "automation-project" {
       role   = "roles/serviceusage.serviceUsageViewer"
     }
   }
-  services = [
-    "accesscontextmanager.googleapis.com",
-    "bigquery.googleapis.com",
-    "bigqueryreservation.googleapis.com",
-    "bigquerystorage.googleapis.com",
-    "billingbudgets.googleapis.com",
-    "cloudbilling.googleapis.com",
-    "cloudbuild.googleapis.com",
-    "cloudkms.googleapis.com",
-    "cloudresourcemanager.googleapis.com",
-    "container.googleapis.com",
-    "compute.googleapis.com",
-    "container.googleapis.com",
-    "essentialcontacts.googleapis.com",
-    "iam.googleapis.com",
-    "iamcredentials.googleapis.com",
-    "orgpolicy.googleapis.com",
-    "pubsub.googleapis.com",
-    "servicenetworking.googleapis.com",
-    "serviceusage.googleapis.com",
-    "sourcerepo.googleapis.com",
-    "stackdriver.googleapis.com",
-    "storage-component.googleapis.com",
-    "storage.googleapis.com",
-    "sts.googleapis.com"
-  ]
+  org_policies = var.bootstrap_user != null ? {} : {
+    "compute.skipDefaultNetworkCreation" = {
+      rules = [{ enforce = true }]
+    }
+    "iam.automaticIamGrantsForDefaultServiceAccounts" = {
+      rules = [{ enforce = true }]
+    }
+    "iam.disableServiceAccountKeyCreation" = {
+      rules = [{ enforce = true }]
+    }
+  }
+  services = concat(
+    [
+      "accesscontextmanager.googleapis.com",
+      "bigquery.googleapis.com",
+      "bigqueryreservation.googleapis.com",
+      "bigquerystorage.googleapis.com",
+      "billingbudgets.googleapis.com",
+      "cloudbilling.googleapis.com",
+      "cloudkms.googleapis.com",
+      "cloudresourcemanager.googleapis.com",
+      "essentialcontacts.googleapis.com",
+      "iam.googleapis.com",
+      "iamcredentials.googleapis.com",
+      "orgpolicy.googleapis.com",
+      "pubsub.googleapis.com",
+      "servicenetworking.googleapis.com",
+      "serviceusage.googleapis.com",
+      "sourcerepo.googleapis.com",
+      "stackdriver.googleapis.com",
+      "storage-component.googleapis.com",
+      "storage.googleapis.com",
+      "sts.googleapis.com"
+    ],
+    # enable specific service only after org policies have been applied
+    var.bootstrap_user != null ? [] : [
+      "cloudbuild.googleapis.com",
+      "compute.googleapis.com",
+      "container.googleapis.com",
+    ]
+  )
 }
 
 # output files bucket

modules/project/main.tf

@@ -59,6 +59,7 @@ resource "google_project_service" "project_services" {
   service                    = each.value
   disable_on_destroy         = var.service_config.disable_on_destroy
   disable_dependent_services = var.service_config.disable_dependent_services
+  depends_on                 = [google_org_policy_policy.default]
 }
 
 resource "google_compute_project_metadata_item" "default" {

tests/fast/stages/s0_bootstrap/checklist.yaml

@@ -361,7 +361,7 @@ counts:
   google_bigquery_default_service_account: 3
   google_logging_organization_sink: 3
   google_logging_project_bucket_config: 3
-  google_org_policy_policy: 13
+  google_org_policy_policy: 16
   google_organization_iam_binding: 23
   google_organization_iam_custom_role: 6
   google_organization_iam_member: 35
@@ -380,4 +380,4 @@ counts:
   google_tags_tag_key: 1
   google_tags_tag_value: 1
   modules: 16
-  resources: 177
+  resources: 180

tests/fast/stages/s0_bootstrap/simple.yaml

@@ -17,7 +17,7 @@ counts:
   google_bigquery_default_service_account: 3
   google_logging_organization_sink: 3
   google_logging_project_bucket_config: 3
-  google_org_policy_policy: 13
+  google_org_policy_policy: 16
   google_organization_iam_binding: 23
   google_organization_iam_custom_role: 6
   google_organization_iam_member: 22
@@ -37,7 +37,7 @@ counts:
   google_tags_tag_value: 1
   local_file: 7
   modules: 15
-  resources: 168
+  resources: 171
 
 outputs:
   custom_roles: